SOCIAL SECURITY
May 28, 2004

The Honorable Earl Pomeroy
Ranking Minority Member
Subcommittee on Oversight
Committee on Ways and Means
House of Representatives
Washington, D.C. 20515

Dear Mr. Pomeroy:

In a March 10, 2004 letter, you asked that we review issues relating to the Social Security Administration's (SSA) arrangement for storing National Computer Center back-up tapes and records at an off-site vault facility for recovery in the event of a disaster. Your letter raised questions about several issues. On March 18, 2004, we responded to you that we would conduct a review of this activity. The enclosed report presents the results of our review.

My office is committed to combating fraud, waste, and abuse in SSA's operations and programs. Thank you for bringing your concerns to my attention. The report highlights various facts pertaining to the issues raised in your letter. To ensure SSA is aware of the information provided to your office, we are forwarding a copy of this report to the Agency.

If you have any questions concerning this matter, please call me or have your staff contact Douglas Cunningham, Assistant Inspector General for Congressional and Intra-Governmental Liaison Activities, at (202) 358-6319.

Sincerely,

Patrick P. O'Carroll, Jr.
Acting Inspector General

Enclosure

cc:
Jo Anne B. Barnhart

SOCIAL SECURITY ADMINISTRATION        BALTIMORE MD 21235-0001


CONGRESSIONAL RESPONSE REPORT

Security of the Social Security Administration's National Computer Center Back-up and Recovery Tapes and Records

A-14-04-24101

May 2004


Mission

We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

  • Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
  • Promote economy, effectiveness, and efficiency within the agency.
  • Prevent and detect fraud, waste, and abuse in agency programs and operations.
  • Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
  • Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

  • Independence to determine what reviews to perform.
  • Access to all information necessary for the reviews.
  • Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration's programs, operations, and management and in our own office.


Background

OBJECTIVE

Our objective was to address the issues raised by Congressman Earl Pomeroy in his March 10, 2004 letter regarding the Social Security Administration's (SSA) arrangement for storing National Computer Center (NCC) back-up tapes and records at an off-site vault facility. Specifically, concerns were raised about: (1) the security in the storage of SSA back-up tapes and records; (2) the current contractor's compliance with established SSA and industry security standards; and (3) the process recently used by SSA to award the off-site storage of magnetic media contract to the incumbent contractor.

BACKGROUND

SSA backs up software applications and data records from the NCC on magnetic tape on a daily basis. These tapes are sent to an off-site storage facility (storage facility) Monday through Friday. The tapes are used to restore NCC software applications and data records in the event that a temporary outage or a disaster occurs. The tapes are also used in the SSA annual disaster recovery test. Prior to 1997, back-up tapes were sent twice weekly to the SSA storage facility located in Wilkes-Barre, Pennsylvania. In 1997, SSA issued a Request-for-Proposal (RFP) for a storage facility for NCC back-up tapes. Three vendors submitted responses. The contract period included a base year with 4 optional years, not to exceed 60 months. This contract was awarded to Independent Services Corporation (ISC). In 2003, at the end of the initial contract period, SSA issued a Request-for-Quote (RFQ) for the same services. SSA received three responses to the RFQ. SSA awarded the new contract to ISC. One of the unsuccessful vendors protested the contract award. SSA is currently revising the RFQ for the re-competition of this contract.

Security of SSA's NCC Back-up and Recovery Tapes and Records (A-14-04-24101)                1


Results of Review

Our review of the concerns raised by Congressman Pomeroy in his March 10, 2004 letter determined that the level of security afforded SSA back-up tapes stored at a vendor's off-site vault storage facility is sufficient, and that the current contractor is significantly compliant with established SSA and industry security standards. Additionally, SSA followed applicable laws, regulations, and policies and procedures in awarding this contract to the incumbent contractor.

CONCERN 1: Security in the Storage of SSA Back-Up Tapes and Records at an Off-Site Vault Storage Facility

We visited the incumbent contractor's facility on April 5 and April 20, 2004. We observed that the incumbent contractor's facility has significant security safeguards in place that include: 1) a certified fire detection and suppression system; 2) a system that monitors and controls the facility's environment; 3) intrusion detection systems that include motion, heat and vibration sensors; 4) installation of bullet-proof glass with breakage sensors; 5) contact alarms installed on all doors; and 6) utility monitoring. All of these systems are monitored 24 hours a day, 365 days a year. Furthermore, the facility has a redundant power supply. The vault used by ISC to store NCC magnetic media was certified in 1996 by independent engineers as meeting Department of Defense (DOD) criteria for vault construction for the storage of classified information (class type 'A' vault). As of April 2004, the engineer will not re-issue the certification for the vault because the engineer was sued by a vendor involved in the contract award protest. Although the certification has not been re-issued, the standards for a class type 'A' vault and the configuration of the contractor's vault have not changed since the vault was certified in 1996.

Our examination of storage facility reviews performed by other auditing entities did not disclose any significant security deficiency with regard to the protection afforded SSA back-up magnetic media stored at this location. Our current and prior physical security reviews of this facility did not disclose any significant deficiency with respect to the adequate protection of SSA data stored at this facility.

Based on our analysis, we believe the contractor is adequately protecting the NCC back-up tapes and records stored at this facility.

CONCERN 2: The Current Contractor's Compliance with Established SSA and Industry Standards

The section on Physical Access Protection in the National Institute of Standards and Technology (NIST) Special Publication 800-12, entitled Introduction to Computer Security, states that the level of protection for the storage of material at an off-site storage facility should be at the same level as that afforded the same material at the primary site of operations. NIST Special Publication 800-34, entitled Contingency Planning Guide for Information Technology Systems, also gives general factors to be considered in connection with off-site storage of electronic information.[1] In addition, the Office of Management and Budget (OMB) has published a minimum set of controls to be included in Federal automated information security programs.[2] The contract sets the detailed guidelines for securing the storage facility, and appears to conform to the general guidelines published by NIST and OMB, as applicable.

We believe the contractor has controls and procedures in place to adequately protect the NCC back-up tapes and records. However, we have observed several areas where the contractor may not be in strict compliance with specific detailed mandatory requirements stated in the contract request (RFQ-03-0159). The following addresses these issues.

Contractor Facility Located within 25 Miles of SSA

Section B.1 of the contract states "With reference to the geographic location of the SSA complex in Woodlawn, Maryland, the storage facility shall be located at a distance of not less than 25 miles and not at a greater distance that will prohibit a two (2) hour drive/delivery time on average." This requirement further states "…25 mile minimum distance (Point-to-Point) is intended to provide adequate separation of geographic areas and subsequent protection from fire, flood, earthquakes, and/or other acts of nature."[3] We determined that the incumbent contractor's facility did not meet the 25-mile Point-to-Point requirement. Further, we have not observed any industry best practice or Federal requirement that mandates a definite distance between the storage facility and the primary operations site. The Federal Emergency Management Agency suggests "…storing data off-site where they would not likely be damaged by an event affecting your facility."[4]

SSA decided that the storage facility should be close enough so that tapes could be sent daily, instead of twice weekly. Additionally, having the storage facility located within 2 hours of the NCC limits magnetic tape environmental exposure and reduces tape retrieval time in the event of a temporary outage or a disaster.

Our review of the statement of work for the re-competing of this contract showed that the mileage requirement is now 20 miles Point-to-Point from the primary site of operations. The current storage facility site in question is located beyond the 20 mile Point-to-Point requirement. This distance appears reasonable in light of current Federal standards and meets the new RFQ requirements.

[1] The National Institute of Standards and Technology (NIST) is charged with responsibility for developing minimum information security requirements for information systems. Federal Information Security Management Act of 2002, Title III, E-Government Act of 2002, P.L. 107-347, December 17, 2002.
[2] OMB Circular No. A-130, Security of Federal Automated Information Resources, Appendix III.
[3] Point-to-Point refers to door-to-door distance, as opposed to driving mileage, which is usually different from the Point-to-Point distance.
[4] Emergency Management Guide for Business and Industry, Section 2, Property Protection, Records Preservation, Page 37.

The Contractor Facility Is Located within a 1,000 Foot Radius of Stored Paints, Chemicals and Explosives

Another RFQ requirement prevents the contractor's facility from being within a 1,000 foot radius of any building used for the storage of paints, chemicals or explosives of any kind. Our on-site observations made on April 5, 2004, showed that:

    1. the metal water tower located in back of the storage facility appears to be closer than 300 feet;

    2. the two fuel oil tanks, shown in earlier photographs next to the water tower, were removed;

    3. a propane gas tank with a capacity of about 350 gallons is located within a 1,000 foot radius of the storage facility; and

    4. drums, of approximately 55 gallon capacity, that are/were used to store chemicals, are within a 1,000 foot radius of the storage facility.

We also noted that a trench (known as a catchment swale) was installed to divert water from the water tower should the water tower fail. The local fire department chief informed SSA that the 350-gallon propane gas tank does not pose a significant threat to the storage facility. Our observation of the propane gas tank shows that the storage facility is not adjacent to the propane tank. The building serviced by the propane tank is between the storage facility and the tank. Also, the drums located across the road at another business that are used to store chemicals were bundled together with the notation 'empty' written on the plastic wrap. In addition, there were no drums stored in the secured fenced-in area of this facility during our visit, nor was there any indication that propane gas was used by this business. Therefore, although these items technically do not comply with the RFQ, they do not appear to jeopardize the storage facility. We have not found any current industry standards that require set distances for the storage of such materials.

Optional Crisis Copy Facility

A third mandatory contract requirement was that the contractor provide a second magnetic media storage facility for the storage of 'crisis copy' media. Crisis copy media is defined as an older/aged set of data that is determined critical to SSA systems recovery in the event that a disaster occurs affecting the NCC, the storage facility, and vehicles transporting SSA data during the same period.

Security requirements for the optional crisis copy facility are the same as those required for the NCC and the primary storage facility.[5] Our review of the technical evaluations and discussions with the Agency disclosed that none of the three vendors met this requirement. As a result, the RFQ was amended by SSA to delete this requirement, because none of the responding vendors would be able to comply. Therefore, the deletion of this requirement from the original RFQ statement of work did not result in a change of status for any vendor, nor did the change result in favoritism.

[5] National Institute of Standards and Technology, Special Publication 800-12, Introduction to Computer Security: Section on Physical Access Protection.

Our review of the statement of work for the amended RFQ showed that the crisis copy facility is no longer a detailed mandatory requirement.

Industry Standards and Best Practices

We have not found any industry standards or best practices that conflict with the current operation of the storage facility.

CONCERN 3: The Process Recently Used by SSA to Re-Award the Off-site Storage of Magnetic Media Contract to the Incumbent Contractor

SSA revised terms of the statement of work to more appropriately reflect its needs and is currently in the process of re-competing the contract. The current contract will remain in effect until the new contract is awarded. We have determined that SSA complied with regulatory requirements when it amended the initial RFQ contractor detailed mandatory requirements to reflect SSA's 'true needs.'

On January 30, 2004, the General Accounting Office (GAO) dismissed a protest that the contract awardee's facility did not meet various requirements of the RFQ. GAO stated that the re-competing of this contract is the relief it would have recommended had GAO decided the merits in the protester's favor.

Our examination of the technical evaluations showed that two of the three responders were found technically capable of meeting the statement of work general and detailed mandatory requirements, as amended. SSA determined that the award of this contract to the incumbent contractor was in the best interest of the Government since the incumbent contractor's proposal is technically qualified and the lowest overall cost. The difference in cost among the three proposals was significant.


Conclusion

Based on our review in response to the congressional inquiry, we believe that the contractor is adequately protecting the back-up tapes and that the contract was awarded to the contractor who is technically competent and offers the best value to SSA.


Appendices

  Appendix A – Acronyms
  Appendix B – Scope and Methodology


Appendix A

Acronyms

    DOD     Department of Defense
    GAO     General Accounting Office
    ISC     Independent Services Corporation
    NCC     National Computer Center
    NIST    National Institute of Standards and Technology
    OMB     Office of Management and Budget
    RFP     Request-for-Proposal
    RFQ     Request-for-Quotation
    SSA     Social Security Administration


Appendix B

Scope and Methodology

To answer the Congressman's questions related to the Social Security Administration's (SSA) use of an off-site storage facility (storage facility), we:

   •   Reviewed relevant contract documentation and the revised Request for Quotation;

   •   Reviewed SSA's policies and procedures and industry best practices regarding the storage of back-up tapes and records;

   •   Conducted interviews with SSA personnel involved with the processes of the awarding and protest activities associated with this contract;

   •   Reviewed other audit reports involving an assessment of physical security of the storage facility and Disaster Recovery; and

   •   Conducted a physical security review of the contractor's storage facility in April 2004.

Our work was conducted at the Headquarters complex in Baltimore and the storage facility in New Windsor, Maryland during March and April 2004. We conducted our review in accordance with the President's Council on Integrity and Efficiency's Quality Standards for Inspections.


DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Government Reform and Oversight
Chairman and Ranking Minority Member, Committee on Governmental Affairs
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board


Overview of the Office of the Inspector General

Office of Audit

The Office of Audit (OA) conducts comprehensive financial and performance audits of the Social Security Administration's (SSA) programs and makes recommendations to ensure that program objectives are achieved effectively and efficiently. Financial audits, required by the Chief Financial Officers' Act of 1990, assess whether SSA's financial statements fairly present the Agency's financial position, results of operations and cash flow. Performance audits review the economy, efficiency and effectiveness of SSA's programs. OA also conducts short-term management and program evaluations focused on issues of concern to SSA, Congress and the general public. Evaluations often focus on identifying and recommending ways to prevent and minimize program fraud and inefficiency, rather than detecting problems after they occur.

Office of Executive Operations

The Office of Executive Operations (OEO) supports the Office of the Inspector General (OIG) by providing information resource management; systems security; and the coordination of budget, procurement, telecommunications, facilities and equipment, and human resources. In addition, this office is the focal point for the OIG's strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act. OEO is also responsible for performing internal reviews to ensure that OIG offices nationwide hold themselves to the same rigorous standards that we expect from SSA, as well as conducting investigations of OIG employees, when necessary. Finally, OEO administers OIG's public affairs, media, and interagency activities, coordinates responses to Congressional requests for information, and also communicates OIG's planned and current activities and their results to the Commissioner and Congress.

Office of Investigations

The Office of Investigations (OI) conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement of SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, physicians, interpreters, representative payees, third parties, and by SSA employees in the performance of their duties. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Counsel to the Inspector General

The Counsel to the Inspector General provides legal advice and counsel to the Inspector General on various matters, including: 1) statutes, regulations, legislation, and policy directives governing the administration of SSA's programs; 2) investigative procedures and techniques; and 3) legal implications and conclusions to be drawn from audit and investigative material produced by the OIG. The Counsel's office also administers the civil monetary penalty program.